An outside company is redoing our company Intranet. During some basic usage I disovered that the "User Edit" screens, with the "Password: *" boxes have the password in plain text, with the text box "type=password" to "hide" the password.

The passwords are not store in the database as plain text, they are stored encrypted using "rijndael-256" cypher using the mcrypt module.

I know that if I encrypt a password with SHA*, the password is "Unrecoverable" via one-way encryption. Is the same of MCrypt Rijndael-256 encryption? Shouldn't an encrypted password be un-recoverable? Are they blowing smoke up my rear or just using the wrong technology?

1 Answer
1

SHA* or MD5 are not encryption. They generate hashes. Hashes are one way, in that once you have something it is unrecoverable (unless you have a known value associated with a known hash). Hashes are ok for non-critical passwords.

You may recall recent news where LinkedIn had a number of accounts stolen. Attackers got a copy of their user table. Their passwords were stored as hashes and using a huge look up tables of all possible values of a type hash, attackers were able to get login credentials for users.

Encryption is the process of using specific mathematical algorithms to turn the data in to 'useless', unintelligible data. Encryption is designed to be reversible. Encryption uses a 'key' to perform the encryption/decryption and as long as you possess that key you can decrypt the encrypted information. If you dispose of/lose the key, the data is useless. In this way, an attacker would need both your data and your encryption key (or alot of time and a sufficiently large number of processors) for the data to be usable.

In short, Encryption is reversible provided you have the key and is preferable to hashing.

I guess your right, I am confusing Hashing with Encrypting. Your also right to bring up events like LinkedIn, because the place I work for handles very sensitive information.
–
WernerCDJul 2 '12 at 22:11